package com.tous.cloud.gateway.config;

import com.tous.cloud.gateway.handler.JwtAccessDeniedHandler;
import com.tous.cloud.gateway.handler.JwtAuthenticationEntryPoint;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.authentication.AbstractAuthenticationToken;
import org.springframework.security.config.annotation.web.reactive.EnableWebFluxSecurity;
import org.springframework.security.config.web.server.ServerHttpSecurity;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.oauth2.jwt.NimbusReactiveJwtDecoder;
import org.springframework.security.oauth2.jwt.ReactiveJwtDecoder;
import org.springframework.security.oauth2.server.resource.authentication.JwtAuthenticationConverter;
import org.springframework.security.oauth2.server.resource.authentication.JwtAuthenticationToken;
import org.springframework.security.oauth2.server.resource.authentication.JwtGrantedAuthoritiesConverter;
import org.springframework.security.oauth2.server.resource.authentication.ReactiveJwtAuthenticationConverter;
import org.springframework.security.web.server.SecurityWebFilterChain;
import reactor.core.publisher.Mono;

import java.util.Collection;
import java.util.Collections;
import java.util.List;
import java.util.Optional;
import java.util.stream.Collectors;


/**
 * @author mengwei
 * @description SecurityConfig
 * @createDate 2025/7/21 17:08
 */
@Configuration
@EnableWebFluxSecurity
public class SecurityConfig {
    /**
     * 安全过滤器链配置
     */
    @Bean
    public SecurityWebFilterChain securityWebFilterChain(ServerHttpSecurity http) {

        return http
                .csrf(ServerHttpSecurity.CsrfSpec::disable)
                .formLogin(ServerHttpSecurity.FormLoginSpec::disable)
                .httpBasic(ServerHttpSecurity.HttpBasicSpec::disable)

                // 请求授权配置
                .authorizeExchange(exchanges -> exchanges
                        // 公开接口
                        .pathMatchers(
                                "/auth/**"
                        ).permitAll()

                        // 需要认证的接口
                        .pathMatchers("/api/user/**").hasAnyRole("USER", "ADMIN")
                        .pathMatchers("/api/admin/**").hasRole("ADMIN")

                        // 其他所有请求需要认证
                        .anyExchange().authenticated()
                )

                // OAuth2资源服务器配置
                .oauth2ResourceServer(oauth2 -> oauth2
                        .jwt(jwt -> jwt.jwtDecoder(jwtDecoder())))
                        // 异常处理
                        .exceptionHandling(handling -> handling
                                .authenticationEntryPoint(new JwtAuthenticationEntryPoint())
                                .accessDeniedHandler(new JwtAccessDeniedHandler()))

                        .build();
    }



    /**
     * JWT解码器
     */
    @Bean
    public ReactiveJwtDecoder jwtDecoder() {
        // 替换为您的JWK Set URI
        return NimbusReactiveJwtDecoder.withJwkSetUri("http://127.0.0.1:8080/auth/oauth2/jwks").build();
    }





}
